🚨 [security] Update multer 1.4.2 → 2.0.0 (major) #315
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!
Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ multer (1.4.2 → 2.0.0) · Repo · Changelog
Security Advisories 🚨
🚨 Multer vulnerable to Denial of Service via memory leaks from unclosed streams
🚨 Multer vulnerable to Denial of Service from maliciously crafted requests
Release Notes
1.4.4 (from changelog)
1.4.3 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 68 commits:
🐛 drain stream. fixes regression in node 18, remove old CI, set minimum node version, fix readme badges, add .npmrc
ci: add ci pipeline to `lts` branch (#1302)
version: 1.4.5-lts.2
history: 1.4.5-lts.2
test: add test for out-of-band error event
Merge pull request #1177 from max-mathieu/fix/unhandled-busboy-error
Fix out-of-band error event from busboy
version: 1.4.5-lts.1
history: 1.4.5-lts.1
version: 1.4.4-lts.1
history: 1.4.4-lts.1
fix(cve): bump busboy to fix CVE-2022-24434
version: 1.4.4
history: 1.4.4
Handle missing field names (#913)
Fix spelling misstakes in README-es.md
Merge pull request #803 from khacpv/master
Merge branch 'master' into master
Merge pull request #948 from Collabos/master
version: 1.4.3
history: 1.4.3
Merge pull request #1024 from jonchurch/readme-var-to-const
doc: update var to const in all Readmes
Merge pull request #1020 from Henrique-Moura/patch-1
Update README-pt-br.md
docs: fix BR typo
docs: translated Spanish from Translation
docs: translated Spanish from Translation
docs: Add korean translation of english
docs: Add spanish translation
docs: Translate "Brazilian Portuguese" to Chinese
docs: Translated "Brazilian Portuguese" to korean
docs: Translated the languages to Spanish
docs: Add Spanish docs to Translations
docs: Fix langs translation
docs: Add Spanish docs to Translations
docs: Add Spanish docs to Translations
Merge pull request #1 from Collabos/x-N0-typo-fix
Fix: Multiple Typos, chars and words
Merge pull request #877 from carlosstenzel/master
Merge pull request #862 from jonchurch/mkdirp-bump
Merge pull request #878 from expressjs/standard14
package: bump standard
Corrections in translation
Merge pull request #758 from carlosstenzel/master
Merge pull request #580 from tsando/master
Merge pull request #838 from LautaroJayat/translation-es
Merge pull request #869 from CrazyNoodl/fix-russian-doc
fixed few mistake in russian doc
bump mkdirp version
Merge pull request #774 from gireeshpunathil/modernize-randombytes
Merge pull request #775 from gireeshpunathil/doc-cb-null-param
Add Math.random() to storage filename example (#841)
Added spanish translation of README.md
Update README.md
Update README.md
add vietnamese language README.md
doc: clarify the callback calling convention
storage: replace deprecated pseudoRandomBytes with randomBytes
Update README-zh-cn.md
Update README-ru.md
Update README-ko.md
Update README.md
Update README.md
Update README-zh-cn.md
Update README-ru.md
Update README-ko.md
Create README-pt-br.md
✳️ chart.js (2.9.1 → 2.9.4) · Repo
Security Advisories 🚨
🚨 Prototype pollution in chart.js
Release Notes
2.9.4
2.9.3
2.9.2
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
1.1.2
Commits
See the full diff on Github. The new version differs by 5 commits:
🚢 1.1.2
🐛 Avoid error on non-Node.js environments
🌹 Remove package lock file
🌹 Bump js-yaml in package lock
🌹 Bump Standard to v12
Commits
See the full diff on Github. The new version differs by 31 commits:
package: bump version to v1.6.0
multipart: ignore remaining data instead of forcefully ending
package: bump version to v1.5.0
multipart: handle empty data from streamsearch
readme: fix deprecated os.tmpDir in example
lib: add support for default param charset for non-extended params
package: bump version to v1.4.0
lib: make the module easier to bundle again
readme: fix README `mimeType` parameter inconsistency
package: bump version to v1.3.0
multipart: fully reset state on successful header parse
package: bump version to v1.2.0
multipart: only skip parts with bad headers
package: bump version to v1.1.0
test: fix lint issue
multipart: fix file stream stalling with lookbehind data
readme: fix markdown rendering
readme: fix example
readme: add link to v1.0.0 changes
package: bump version to v1.0.0
lib,test: rewrite implementation
ci: add node v12
lib: don't decode params with encodings twice
bump version
readme: fix node version to match package.json
lib: simplify basename()
bump version
ci: update node branches
lib,test: remove readable-stream, use new Buffer API
multipart: fix hang when upstream stops reading
readme: remove pledgie link
Commits
See the full diff on Github. The new version differs by 10 commits:
package: bump version to v1.1.0
package: update dev dependency versions
lib: simplify range checks and data copying
lib: improve performance
lib: add destroy() and additional callback argument
package: bump version to 1.0.0
ci: add workflows for test running and linting
modernize and optimize code, add tests and a lint config
lib: more DRY
lint
🗑️ dicer (removed)
🗑️ emoji-regex (removed)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with `@depfu rebase`.
All Depfu comment commands